Closed Bug 255921 Opened 21 years ago Closed 21 years ago

Invalid certificate / same serial number as another certificate

Categories

(Core Graveyard :: Security: UI, defect)

1.0 Branch
x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 171277

People

(Reporter: mozilla, Assigned: KaiE)


Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803

If you press "om selvbetjening" or "om sikkerhed" (or try to log in), an alert box appears with: "You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number."

The problem has been tested on 4 different computers (all located in Denmark). It has been tested with Mozilla 1.7, 1.7.2 and Firefox 0.9 on Linux, and Mozilla 1.7.2 on Windows, but there is no problem with Mozilla 1.6 (Linux) or Mozilla 1.4 (Windows).
- I don't know if this is a bug or related to wrong authority certificates.
- I have talked with the issuer of the certificate (TDC, which is a part of the same company that owns tdcmobile), but they can't find any problems.

Reproducible: Always

Steps to Reproduce:
1. Either use the link https://access.tdc.dk/servlet/getAccessLogin?URI=https://access.tdc.dk/cgi-bin/getAccess/pmda.gas.bat%3FMDURI%3Dhttps://selvbetjening.tdcmobil.dk:443/Krumm/jsp/private/login.do%26SMDAURI%3Dhttps://selvbetjening.tdcmobil.dk:443/sek-bin/smda.gas.bat%26SD%3D.tdcmobil.dk&LOCALE=da_DK&AUTHMETHOD=UserPassword
or:
1. Go to www.tdcmobile.dk
2. Press "Privat" (next to "Log ind" at the right side of the screen)
3. Press "Log ind" (on the right side of the screen)
Now press "om selvbetjening" or "om sikkerhed" in the left menu; this should result in the alert box with the information.
-> PSM
Assignee: general → kaie
Component: Browser-General → Client Library
Product: Browser → PSM
QA Contact: general
Version: Trunk → 1.01
Niels, I cannot reproduce your problem with Mozilla 1.7.2 on Linux. What happens if you try it with a new profile? I suspect your certificate database contains a certificate that got imported in some way, and is now causing the conflict you see. If my suspicion is correct, it will work for you with a new profile. If it does, you can try to use certificate manager to search for and delete the conflicting certificate.
On a RH9 / Mozilla 1.7.2 I just created a new blank user for test. The problem still exists there. The only certificates that exist here are the standard ones under certificate manager / authorities (no 'yours', 'others' or 'web sites' certificates).
I have noticed the same problem on Fedora Core 2/Mozilla 1.7.2 and Firefox 0.9, Windows 2000/Mozilla 1.7.1. I have also isolated the problem to one site, which is NOT access.tdc.dk (the site displaying the SSL-secured login page above). If I type https://selvbetjening.tdcmobil.dk/ into the URL locator I get the popup right away. If you leave out the s in https you are redirected to access.tdcmobil.dk. According to www.certifikat.dk, the serial number of selvbetjening.tdcmobil.dk is 3e2c257b, while access.tdc.dk has several serial numbers, some of them invalidated. Kai: You said the problem does not exist on your system. That should mean that you can read the server certificate? Is it the same as the one above?
Leif, I still do not see your problem. On Fedora Core 2, with RedHat's officially distributed update packet Mozilla 1.7.2, using a fresh Mozilla profile, when I open https://selvbetjening.tdcmobil.dk/ I do not get a popup, I do not get an error message, but I'm immediately redirected to http://www.tdcmobil.dk/portal/index.jsp
Yes - the direct link https://selvbetjening.tdcmobil.dk/ does not always result in the error popup. I get redirected too sometimes (e.g. when I am sitting behind a proxy/firewall, as right now) to http://www.tdcmobil.dk/portal/index.jsp. But following Niels' direct link or his step-by-step clicks after redirection gives the popup from Mozilla 1.7.2 also from this system (Win2000), while IE does not. I would like to point out that though Niels and I have tested several locations and systems, I do believe that they all resolve to .dk on reverse lookup. It may account for different server behavior from tdcmobil.dk and tdc.dk. I would be willing (from next week) to help with debugging or trace on my home system, if it can shed some light on this problem. Not being able to gain access to your mobile phone provider from the latest Mozilla is not nice! ;-)
Is it somehow possible to get the alert window to tell which serial number/URL is conflicting?
FYI: I have just done a full reinstall of FC2 on a blank disk (KDE, no GNOME, developer, US install & danish-latin1 kbd), and done an 'up2date' of only the Mozilla components. But no change, the alert is still there.
This bug is reproducible when a self-signed certificate has a serial number of 0 (or "00"). Verified as existing in Mozilla-1.7.3 for Linux and Mozilla-1.7.2 for Windows.

"You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. [ OK ]"

Konqueror says:
Certificate State: Certificate is self-signed and thus may not be trustworthy.
Valid from: Saturday 18 September 2004 1:27:04 am GMT
Valid until: Monday 11 September 2034 1:27:04 am GMT
Serial number: 0

MSIE says: Serial Number 00.

Netscape 7.2 does the right thing: It displays two pop-ups but allows you to choose to continue.

This bug prevents access to network devices with embedded self-signed certificates.
Code that issues self-signed certs, and always issues the same serial number, namely 00, to all of them, is simply not generating standards-compliant certs. It's not mozilla's job to "work" with certs that are invalid for ANY reason. SSL is for security, not for playing with crypto, not for playing with invalid certs. See if there's a newer version of the software that issues those certs, one that issues unique serial numbers. If so, use that version instead.

*** This bug has been marked as a duplicate of 171277 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Product: PSM → Core
Version: psm1.01 → 1.0 Branch
Product: Core → Core Graveyard
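The condition the last two comments describe, a serial number that must be a positive integer (RFC 5280, section 4.1.2.2) and an (issuer, serial) pair that must be unique per issuer because that pair is what NSS looks certificates up by, can be checked on a set of certificates before they are deployed. The Python below is an added example, not code from this bug or from NSS: it uses a minimal DER reader instead of a certificate library so it runs with the standard library alone, and its sample certificates (hypothetical issuer names, skeleton structure) are constructed here rather than taken from any real device.

```python
def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, end_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    out, pos = [], 0                        # split a constructed body into child TLVs
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def issuer_and_serial(cert_der):
    """From a DER Certificate return (issuer Name DER, serialNumber as int)."""
    fields = der_children(der_children(der_read(cert_der)[1])[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)  # INTEGER serialNumber
    return fields[2][1], serial             # order: serialNumber, signature, issuer

def find_serial_problems(certs):
    """Flag non-positive serials and distinct certs sharing one (issuer, serial)."""
    seen, issues = {}, []
    for label, der_bytes in certs:
        issuer, serial = issuer_and_serial(der_bytes)
        if serial <= 0:
            issues.append(f"{label}: serial {serial} is not a positive integer")
        other = seen.setdefault((issuer, serial), (label, der_bytes))
        if other[1] != der_bytes:           # identical bytes = same cert seen twice, fine
            issues.append(f"{label}: same issuer and serial as {other[0]}")
    return issues

# Constructed sample input (hypothetical names; skeleton certs, not real ones).
def der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def fake_cert(issuer_cn, serial, sig=b"\x00\x01"):
    cn = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, issuer_cn.encode()))  # CN=
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    tbs = der(0x30, der(0x02, ser) + der(0x30, b"") + der(0x30, der(0x31, cn)))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, sig))
SAMPLE = [("ca-issued", fake_cert("Example CA", 0x3E2C257B)),
          ("device-a", fake_cert("router.local", 0, sig=b"\x00\x01")),
          ("device-a-regenerated", fake_cert("router.local", 0, sig=b"\x00\x02"))]
```

Running find_serial_problems(SAMPLE) reports both zero serials and the collision between the two different "router.local" certificates, which is the situation a regenerated embedded certificate with a fixed serial of 00 produces.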